Execs Fear Orgs Unprepared for Incident Response

Executive-level security professionals fear their organizations are not well positioned to respond to a cyber-attack, according to the results of a new poll from Deloitte.

In a poll of more than 3,150 security professionals across all industries and sectors, taken during a webcast on cyber preparedness and war-gaming, respondents indicated that cybersecurity remains largely siloed. As a result, many employees across their organizations are not well versed in how to respond to a cyber incident. In addition, participants reported that they were only somewhat confident in their organization’s ability to respond to and remediate a cyber incident, even though their organizations had experienced a cybersecurity incident within the past 12 months.

While it’s become commonplace to say that all employees play a role in cyber awareness, 30% of CEOs and executive-level respondents said their greatest challenge is that employees don’t understand the organization’s incident response plan. That lack of understanding seems to correlate with a lack of resources. For 20% of respondents, a lack of access to the funding, tools and skills needed to respond to cyber incidents is a handicap.

“We used to say it’s ‘not if, but when’ an organization will experience a cyber incident. That message has evolved well beyond a single incident to ‘how often’ or ‘how to respond to and withstand persistent attacks,’” said Andrew Morrison, principal, Deloitte Risk and Financial Advisory Cyber Risk Services, Deloitte & Touche LLP, in a press release.

“Improving internal processes and providing employees with the knowledge, practice and skills needed to succeed can help organizations mitigate risk through preparedness, as well as increase overall business resilience to future attacks.”

Yet nearly half of respondents (49%) said that their organizations do not conduct cyber war-gaming exercises to help all employees better understand what to do in the event of a cyber incident. As a result, 34% of participants reported not knowing their own role within their organization’s cyber incident response plan.

“Cyber war games are an important way to raise awareness of the latest cyber risks and attack types, as well as cyber risk management and adaptive response capabilities an organization needs during, after and preparing for the next cyber incident,” said Daniel Soo, cyber war-gaming leader for Deloitte cyber risk services and Deloitte Risk and Financial Advisory principal.

“The most impactful war games are those that use live knowledge of an organization’s current threat environment to support the decision-making process across operations, finance, regulatory, marketing and beyond.”